PHP mlog.html and mylog.html vulnerabilities

Summary
Description:Trivially read any file on the remote system by exploiting these cgi scripts
Author:bryan berg <km@UNDERWORLD.NET>
Compromise:remotely read any httpd-readable file on the remote system
Vulnerable Systems:Those running vulnerable versions of the PHP distribution.
Date:19 October 1997
Details


Date: Sun, 19 Oct 1997 20:38:40 -0400
From: bryan berg <km@UNDERWORLD.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in PHP Example Logging Scripts

Whilst perusing various things included with the PHP distribution, I
noticed that there was a gaping security hole in a few of the example
scripts, specifically mlog.html and mylog.html, which allow any remote user
to read any arbitrary file on the system. (which is readable to the user
that httpd and thus PHP are running as) To top it all off, this exploit is
really easy to accomplish.

The problem lies in the line:

<?include "$screen">

in both mlog.html and mylog.html.  The idea is to include a file for each
type of logging stats, however, there is no escaping of slashes, so one can
specify any file on the system.

The exploit for dummies:

http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully
qualified path to any file on the system]

useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
systems..) and just about anything else.

Temporary fix:

insert the line

<?ereg_replace("/","",$screen);>

just before the <?include... line.

This problem exists in the most current distribution of PHP; I'm willing to
bet that it's been around for a while.  Hopefully, it will be officially
fixed soon... ;)

:bryan



---
         bryan berg % km@underworld.net % http://www.underworld.net/~km/
                  system administrator, the underworld project
               "i was blessed with a birth and a death and i guess
                 i just want some say in between" -- ani difranco

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]